A new North Korean hacking group has allegedly developed an online game and sent compromised emails to their targets while posing as game developers and investors, according to a statement from a United States tech giant on Tuesday.
In a recent blog post, Microsoft Threat Intelligence announced that a new North Korean hacking group had been discovered, one that the company dubbed “Moonstone Sleet.” Microsoft has been developing a system of classification that correlates threat actors from specific regions of the world with weather themes. For example, North Korean threat actors are referred to as “Sleet,” while Russian and Chinese hacking groups are tagged with the names “Blizzard” and “Typhoon,” respectively.
The company stated that the hacking group has been carrying out a wide range of financially motivated operations and cyberespionage campaigns that align with the objectives of the North Korean government. The report provided detailed information on malicious activities detected since last February, involving a self-developed, fully functional, downloadable game titled “DeTankWar,” also known as “DeTankZone,” “DeFiTankWar,” or “TankWarsZone.”
According to Microsoft Threat Intelligence, North Korean hackers sent malicious emails with a link to download the game. Upon being opened, this link would compromise the victim’s device, enabling hackers to steal vital information. To deceive their targets, the hackers impersonated game developers or high-ranking officials from a blockchain company, soliciting additional workforce or investment partners for their play-to-earn game project.
The tech giant explained that the hacking group created game websites and multiple social media accounts to add a layer of superficial legitimacy to their identity. One X account, titled “DetankZone,” shared nearly identical profile images with the account disclosed in the report. The user posted a 16-second video showing four tanks fighting in a forest-themed battleground. The report also noted that the software included features typical of games of this kind, such as a player registration protocol accompanied by an invitation code.
Beyond producing and distributing malicious games, Moonstone Sleet further attempted to infiltrate multiple legitimate companies by posing as software developers. The report did not disclose the names of the companies that were targeted by the hacking group. It did, however, note that the North Korean hackers attacked a defense technology company in December 2023 to steal credentials and various other intellectual property. Furthermore, the report revealed that the hackers deployed custom ransomware against the company last April in an attempt to disrupt its operations.
“Moonstone Sleet’s ability to conduct concurrent operations across multiple campaigns, the robustness of the malicious game, and the use of a new custom ransomware variant are strong indications that this threat actor may be well-resourced,” stated the report. “It will continue to mature, develop, and evolve, positioning itself as a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.”